Accepting request 873406 from home:jsegitz:branches:network
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login as root via password by default (is also upstream default). Comment indicates that this was a temporary meassure that we now had for five years, time to get rid of it (bsc#1173067) OBS-URL: https://build.opensuse.org/request/show/873406 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=229
This commit is contained in:
parent
4b2c4475a9
commit
d13558019e
@ -5,12 +5,6 @@ There are following changes in default settings of ssh client and server:
|
|||||||
|
|
||||||
* PAM authentication is enabled and mostly even required, do not turn it off.
|
* PAM authentication is enabled and mostly even required, do not turn it off.
|
||||||
|
|
||||||
* root authentiation with password is enabled by default (PermitRootLogin yes).
|
|
||||||
NOTE: this has security implications and is only done in order to not change
|
|
||||||
behaviour of the server in an update. We strongly suggest setting this option
|
|
||||||
either "prohibit-password" or even better to "no" (which disables direct
|
|
||||||
remote root login entirely).
|
|
||||||
|
|
||||||
* DSA authentication is enabled by default for maximum compatibility.
|
* DSA authentication is enabled by default for maximum compatibility.
|
||||||
NOTE: do not use DSA authentication since it is being phased out for a reason
|
NOTE: do not use DSA authentication since it is being phased out for a reason
|
||||||
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
- the size of DSA keys is limited by the standard to 1024 bits which cannot
|
||||||
|
@ -1,59 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# Parent af43d436bc7fe818dd976c923ad99b89051eb299
|
|
||||||
Allow root login with password by default. While less secure than upstream
|
|
||||||
default of forbidding access to the root account with a password, we are
|
|
||||||
temporarily introducing this change to keep the default used in older OpenSSH
|
|
||||||
versions shipped with SLE.
|
|
||||||
|
|
||||||
Index: openssh-8.4p1/servconf.c
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/servconf.c
|
|
||||||
+++ openssh-8.4p1/servconf.c
|
|
||||||
@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
|
|
||||||
if (options->login_grace_time == -1)
|
|
||||||
options->login_grace_time = 120;
|
|
||||||
if (options->permit_root_login == PERMIT_NOT_SET)
|
|
||||||
- options->permit_root_login = PERMIT_NO_PASSWD;
|
|
||||||
+ options->permit_root_login = PERMIT_YES;
|
|
||||||
if (options->ignore_rhosts == -1)
|
|
||||||
options->ignore_rhosts = 1;
|
|
||||||
if (options->ignore_user_known_hosts == -1)
|
|
||||||
Index: openssh-8.4p1/sshd_config
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/sshd_config
|
|
||||||
+++ openssh-8.4p1/sshd_config
|
|
||||||
@@ -29,7 +29,7 @@
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin prohibit-password
|
|
||||||
+PermitRootLogin yes
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
||||||
Index: openssh-8.4p1/sshd_config.0
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/sshd_config.0
|
|
||||||
+++ openssh-8.4p1/sshd_config.0
|
|
||||||
@@ -778,7 +778,7 @@ DESCRIPTION
|
|
||||||
PermitRootLogin
|
|
||||||
Specifies whether root can log in using ssh(1). The argument
|
|
||||||
must be yes, prohibit-password, forced-commands-only, or no. The
|
|
||||||
- default is prohibit-password.
|
|
||||||
+ default is yes.
|
|
||||||
|
|
||||||
If this option is set to prohibit-password (or its deprecated
|
|
||||||
alias, without-password), password and keyboard-interactive
|
|
||||||
Index: openssh-8.4p1/sshd_config.5
|
|
||||||
===================================================================
|
|
||||||
--- openssh-8.4p1.orig/sshd_config.5
|
|
||||||
+++ openssh-8.4p1/sshd_config.5
|
|
||||||
@@ -1331,7 +1331,7 @@ The argument must be
|
|
||||||
or
|
|
||||||
.Cm no .
|
|
||||||
The default is
|
|
||||||
-.Cm prohibit-password .
|
|
||||||
+.Cm yes .
|
|
||||||
.Pp
|
|
||||||
If this option is set to
|
|
||||||
.Cm prohibit-password
|
|
@ -5,6 +5,14 @@ Wed Feb 24 13:20:37 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
|
|||||||
/usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
|
/usr/share/ssh/ (openssh-8.4p1-vendordir.patch)
|
||||||
- Move configuration files from /etc/ssh/ to /usr/share/ssh/
|
- Move configuration files from /etc/ssh/ to /usr/share/ssh/
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 18 13:54:44 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||||
|
|
||||||
|
- Drop openssh-7.7p1-allow_root_password_login.patch to prevent login
|
||||||
|
as root via password by default (is also upstream default). Comment
|
||||||
|
indicates that this was a temporary meassure that we now had for
|
||||||
|
five years, time to get rid of it (bsc#1173067)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
Mon Feb 15 10:01:33 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
|
||||||
|
|
||||||
|
@ -58,7 +58,6 @@ Source11: README.FIPS
|
|||||||
Source12: cavs_driver-ssh.pl
|
Source12: cavs_driver-ssh.pl
|
||||||
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
|
||||||
Source14: sysusers-sshd.conf
|
Source14: sysusers-sshd.conf
|
||||||
Patch0: openssh-7.7p1-allow_root_password_login.patch
|
|
||||||
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
Patch1: openssh-7.7p1-X11_trusted_forwarding.patch
|
||||||
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
Patch3: openssh-7.7p1-enable_PAM_by_default.patch
|
||||||
Patch4: openssh-7.7p1-eal3.patch
|
Patch4: openssh-7.7p1-eal3.patch
|
||||||
|
Loading…
Reference in New Issue
Block a user